From patchwork Thu Dec 22 23:35:22 2011 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Xi Wang X-Patchwork-Id: 132916 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id CBAB6B71B9 for ; Fri, 23 Dec 2011 10:35:39 +1100 (EST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753486Ab1LVXf2 (ORCPT ); Thu, 22 Dec 2011 18:35:28 -0500 Received: from mail-iy0-f174.google.com ([209.85.210.174]:58853 "EHLO mail-iy0-f174.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751334Ab1LVXf1 (ORCPT ); Thu, 22 Dec 2011 18:35:27 -0500 Received: by iaeh11 with SMTP id h11so14171680iae.19 for ; Thu, 22 Dec 2011 15:35:26 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=SpdCppeTk3hceH7XTFAd7iaU9aoyb7VShURcrXHa4QY=; b=WuInXgc6SJ1TQ1suWa3V8NcFfOWFZ5Z6q8ZTIDRWanSt3W7JYX6lSwMiVCgY4Tvy5n YNx+65F8yKsi57P1vtCDHNWgNGjp87b+Bheeq+F1/ZfZq0i75fQyKSz0QhXeZGZ9LnTV zdK/vAYSFNFg047AWRVyrThbzk9YRRj3J0tdU= Received: by 10.43.52.129 with SMTP id vm1mr4760665icb.15.1324596926894; Thu, 22 Dec 2011 15:35:26 -0800 (PST) Received: from vpn-18-101-16-213.mit.edu (VPN-18-101-16-213.MIT.EDU. [18.101.16.213]) by mx.google.com with ESMTPS id x18sm34128032ibi.2.2011.12.22.15.35.23 (version=SSLv3 cipher=OTHER); Thu, 22 Dec 2011 15:35:24 -0800 (PST) Message-ID: <4EF3BEBA.4040402@gmail.com> Date: Thu, 22 Dec 2011 18:35:22 -0500 From: Xi Wang User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0) Gecko/20111105 Thunderbird/8.0 MIME-Version: 1.0 To: Eric Dumazet CC: Tom Herbert , "David S. Miller" , netdev@vger.kernel.org Subject: [PATCH v2] rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt() References: <1324493459-19764-1-git-send-email-xi.wang@gmail.com> In-Reply-To: <1324493459-19764-1-git-send-email-xi.wang@gmail.com> Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will cause a kernel oops due to insufficient bounds checking. if (count > 1<<30) { /* Enforce a limit to prevent overflow */ return -EINVAL; } count = roundup_pow_of_two(count); table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count)); Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as: ... + (count * sizeof(struct rps_dev_flow)) where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow 32 bits. This patch replaces the magic number (1 << 30) with a symbolic bound. Suggested-by: Eric Dumazet Signed-off-by: Xi Wang --- net/core/net-sysfs.c | 7 +++++-- 1 files changed, 5 insertions(+), 2 deletions(-) diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c index c71c434..385aefe 100644 --- a/net/core/net-sysfs.c +++ b/net/core/net-sysfs.c @@ -665,11 +665,14 @@ static ssize_t store_rps_dev_flow_table_cnt(struct netdev_rx_queue *queue, if (count) { int i; - if (count > 1<<30) { + if (count > INT_MAX) + return -EINVAL; + count = roundup_pow_of_two(count); + if (count > (ULONG_MAX - sizeof(struct rps_dev_flow_table)) + / sizeof(struct rps_dev_flow)) { /* Enforce a limit to prevent overflow */ return -EINVAL; } - count = roundup_pow_of_two(count); table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count)); if (!table) return -ENOMEM;